[dns-operations] Incomplete type bitmaps in NSEC(3) records and aggressive use of DNSSEC validated cache

Ruben van Staveren ruben at verweg.com
Thu Sep 9 11:15:21 UTC 2021


Vladimír, Petr,

Thank you for the insight, we’ll inform the domain owners and, after a grace period, turn on RFC 8198-style validation again.

Best Regards,
    Ruben

> On 8 Sep 2021, at 14:37, Vladimír Čunát <vladimir.cunat+ietf at nic.cz> wrote:
> 
> Hello.
> 
> On 08/09/2021 11.12, Ruben van Staveren via dns-operations wrote:
>> should we do more analysis of this phenomenon and even have a DNS flag day before even more resolvers and operators are going to implement RFC 8198? There might be an issue with deliberately exploiting this to make websites/mail unreachable.
> Measuring how much this happens might be nice (or similar problems), but I don't think it will be worth a flag day.  Aggressive resolvers have been deployed for years, and it apparently hasn't caused that much trouble.
> 
> As for the possibility of exploitation... experience (e.g. with F5) shows that some parties just won't fix stuff until there's significant pressure.  I'd think that now the "gradient" for this is that operators should deploy aggressive caching instead of delaying, and that will help clean up this behavior (which has been non-compliant since RFC 4034+, not since 8198).
> 
> --Vladimir | knot-resolver.cz
> 
